On 1 October 2020, the Hamburg Commissioner for Data Protection and Freedom of Information imposed a 35.3 million € fine on the Hamburg-based company Hennes & Mauritz Online Shop. In its service centre in Nuremberg, private information on several hundred employees had been collected without their knowledge since 2014, including information on their state of health and personal relationships. Through one-on-one talks and corridor conversations, supervisors were able to acquire a broad knowledge of each employee's private life, ranging from harmless details to family problems and even religious confession, and stored it in a highly detailed digital personnel file. Due to a configuration error, this data was accessible to the entire workforce for a few hours in October 2019 and was discovered by some employees by chance. H & M now wants to pay financial compensation of 2,500 € to each person affected for the violation of their privacy. The scandal also led to the first election of a works council at the Nuremberg service centre in summer 2020.
The fine is intended to deter employers from violating privacy and is based on the EU General Data Protection Regulation, which has been in force since May 2018 (see report in EWC News 1/2016). According to Article 83, fines must be "effective, proportionate and dissuasive" and can amount to up to 4% of the total annual turnover generated worldwide. Recital 36 of the EWC Directive also requires "sanctions that are effective, dissuasive and proportionate to the gravity of the infringement". However, in a report in May 2018, the European Commission found "that in most Member States dissuasive and proportionate sanctions are not imposed" when European works council rights are disregarded (see report in EWC News 2/2018).
News Ref
4/2020